Posts Tagged ‘risks’

For nearly a decade I have been regularly coming back to one of the hardest problems in security, measuring it. There are lots of opinions and no shortage of books full of candidate metrics and there are swathes of consultants prepared to give you a spreadsheet of metrics to go measure and develop a red/amber/green dashboard to understand them. It does seem to require practitioners to dig a bit deeper often to find a good approach to developing metrics and measurements that are actually of value to a particular organisation.

This post captures some of the thinking I’ve distilled from some of the big thinkers in the field. Talking of big thinkers…

“When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the state of science.” —Lord Kelvin, 1824-1907

“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” —Sir Arthur Conan Doyle, 1887

“Security is now so essential a concern that we can no longer use adjectives and adverbs but must instead use numbers.” — Dan Geer, 2008